This invention relates generally to secure transmissions of data and more particularly to dynamically obtaining security credentials to participate in a secured communication.
Securing data for transmission may be done in a variety of ways, where the data may be digitized voice, digitized video, computer data, such as e-mail, files, programs, etc. For example, the data may be encrypted using an encryption algorithm, such as Data Encryption Standard (DES), and a symmetric key. The encrypted data is provided to a receiving party, which utilizes its own copy of the symmetric key to decrypt the encrypted message. Data transmitted in this manner provides reliable security as long as the symmetric key is only known by sending and receiving parties. As such, a key issue with symmetric key encryption is providing the symmetric key to all parties without compromising its security. Note that the security of a symmetric key is compromised when an unauthorized party has obtained it.
Another encryption process utilized public/private key pairs, which includes, for each party, a private decryption key and a public encryption key. The key pairs, or security credentials, may further include a private signature key and a public signature verification key. The public encryption key and public signature verification key are publicly available, such that a sending party may obtain the public encryption key for each targeted recipient. Once the encryption keys are obtained, the sending party individually encrypts a message using a symmetric key that is encrypted once using the public encryption keys of each recipient. When a recipient receives the encrypted message, it utilizes its private decryption key to decrypt the message. To further enhance the security of the transmission, the sending party may sign the message using its private signature key. When each recipient receives the signed message, it retrieves the public signature verification key of the sending party to authenticate the signature.
Typically, in a security network, public security credentials of the parties (e.g., public encryption keys, signature verification keys, etc.) are stored in a repository, such as a directory and/or file system. The private security credentials of the parties (e.g., the private decryption key, private signature key, etc.) are stored locally in software or hardware of each parties"" computer. As such, for a user (i.e., a party) to encrypt an outgoing message, the user obtains the public security credentials of targeted recipients from the repository and accesses its private security credentials from its computer. Thus, as long as the user has access to his or her computer and the computer is coupled to the security network or offline with cached security information, the user may participate in secured communications.
As the needs for greater mobility and greater service continues to grow, encryption systems are being expanded to meet these needs. For example, a party may establish a secure communication with a predefined list of other parties (i.e., a recipient list) by identifying the group, as opposed to each recipient. As additional features are offered to a party, the party""s security credentials increases in size. In some encryption systems, a party""s security credentials may be distributively stored for more efficient access, requiring more sophisticated memory management techniques. As can be seen from these few examples, encryption systems are providing their users greater service options with improved service processing. A user can take advantage of these improvements provided the user can access its private security credentials and the public security credentials. As a user becomes more mobile within the encryption system, obtaining his or her private security credentials is often very difficult, thus limiting, or eliminating, the service available to a roaming user.
To provide a user with greater mobility, the user""s computer may include a cryptographic service provider that interfaces with an Internet server application to retrieve security credentials from a remote key manager or database. As such, a user may obtain a private key from the key manager and store it locally and may do so at each computer in the security network the user will access. While this allows the user to roam from computer to computer within the security network, each computer needs to include a registry that stores the security credentials for the user. As one can imagine, when the same data or pieces of the data are stored in a plurality of locations, it is difficult to maintain consistency and synchronization of the data across all storage locations.
Another technique to increase the mobility of a user includes storing the user""s private security credentials on a piece of hardware such as a smart card, PC card, or hardware token. For a user to roam from computer to computer in the security network, each computer must include the supporting security software and access to private security credentials of the user. As such, multiple copies of the user""s private security credentials needs to be maintained or a token must be transported from each computer to the next.
Therefore, a need exists for a method and apparatus that provides dynamic access to a user""s private security credentials without limiting the services available to a roaming user and without maintaining copies of the security credentials or moving a single copy.